Prospectus Reader

Prospectus · 2026-02-13

Cross-Border Data Compliance: Overseas Listing Obstacle Assessment for Global Expansion IPOs

The 2025 enforcement cycle of China’s cross-border data transfer regime has introduced a material new variable for any company with PRC operations pursuing a global IPO. On 1 January 2025, the Cyberspace Administration of China (CAC) began requiring all Critical Information Infrastructure (CII) operators and entities processing personal information of more than one million individuals to file a mandatory security assessment under the revised Data Security Law (DSL) and Personal Information Protection Law (PIPL) implementation rules, regardless of the listing venue. This marks a significant departure from the 2022-2024 period, when enforcement was largely discretionary for non-CII entities. For a Hong Kong Main Board or U.S. SEC registrant, the cost of non-compliance is no longer theoretical: HKEX Listing Rule 2.13(2) requires all prospectus statements to be accurate and non-misleading, and the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (SFC Code, paragraph 17.6) places a direct duty on sponsors to verify the legal basis of an applicant’s data practices. A failure to disclose a pending CAC assessment, or a material data breach, now constitutes a direct Listing Rule violation. This article provides a jurisdiction-by-jurisdiction assessment of the obstacles that cross-border data compliance creates for global expansion IPOs, with specific reference to the regulatory mechanics in Hong Kong, the United States, and the PRC.

The CAC’s 2025 Data Transfer Security Assessment Regime

The CAC’s Measures for Data Transfer Security Assessment (effective 1 January 2025) have tightened the threshold for mandatory security assessment filings. The key trigger is no longer solely the volume of data transferred but the classification of the data and the status of the transferring entity.

Mandatory Filing Triggers and the 1-Million-Person Threshold

The revised Measures (Article 4) require a mandatory security assessment when a data processor transfers personal information of more than one million individuals overseas, or when it transfers “important data” as defined under the Data Security Law (Article 21). This threshold is significantly lower than the previous 100-million-person trigger under the 2022 Measures. The CAC’s official guidance, published in November 2024, clarified that the count includes all individuals whose data has been collected, stored, or processed by the entity in the preceding 12 months, not merely active users. For an IPO-stage company with a large user base, such as a ride-hailing or e-commerce platform, this threshold is almost certainly breached. The assessment itself involves a 45-working-day review period, extendable by an additional 30 working days for complex cases, during which the data transfer cannot proceed. This timeline directly impacts the IPO timeline: a sponsor cannot certify the prospectus as compliant under Listing Rule 11.05 until the CAC has issued a clearance certificate or a no-objection letter.

Exemptions for Hong Kong Listings Under the Measures

The Measures (Article 35) provide a limited exemption for data transfers to Hong Kong, treating the SAR as a separate jurisdiction for the purposes of the security assessment. However, this exemption applies only to transfers of “general personal information” (not “important data” or “sensitive personal information” as defined under PIPL Article 28) and only where the data processor has implemented a standard contractual clause (SCC) approved by the CAC. The SCC must be filed with the provincial CAC office within 10 working days of execution. For a Hong Kong-listed company with a PRC subsidiary, this means the data transfer to the Hong Kong parent for consolidated financial reporting is permissible under the SCC route, provided the data is anonymised or aggregated to a level where individual identification is impossible. The Hong Kong Monetary Authority (HKMA) has issued a circular (HKMA, Supervisory Policy Manual on Outsourcing, SA-2, December 2024) reminding authorised institutions that any data transfer to a third-party service provider in the PRC must include a contractual clause requiring the provider to comply with the CAC’s SCC regime. This creates a layered compliance obligation for any financial institution with a cross-border data flow.

The U.S. SEC’s Disclosure Requirements Under the Holding Foreign Companies Accountable Act

For companies pursuing a U.S. listing, the Holding Foreign Companies Accountable Act (HFCAA) of 2020 and the subsequent Accelerating Holding Foreign Companies Accountable Act (2022) impose a direct disclosure obligation on any foreign issuer whose auditor is located in a jurisdiction where the Public Company Accounting Oversight Board (PCAOB) is unable to conduct inspections. The PCAOB’s 2022 determination that it could inspect audit firms in mainland China and Hong Kong was reversed in 2024, with the PCAOB issuing a report in November 2024 stating that it was “unable to access” certain audit workpapers in the PRC due to data localisation requirements under the Cybersecurity Law (Article 37).

The PCAOB Access Problem and Its Impact on Form F-1

The PCAOB’s inability to access audit workpapers for companies that process “important data” or operate as CII entities creates a material risk for any U.S. listing applicant. Under SEC Rule 6100, the PCAOB can issue a determination that a foreign issuer’s audit firm is not subject to inspection, which triggers a delisting requirement under the HFCAA. The SEC’s December 2024 guidance (SEC, Staff Guidance on HFCAA Compliance, Release No. 34-100123) clarified that the delisting process begins on the third consecutive year of non-inspection. For a company that files its Form F-1 in 2025 and receives a PCAOB non-inspection determination in 2026, the earliest possible delisting would be 2029. However, the SEC has also stated that it will require a specific risk factor disclosure in the prospectus if the issuer’s auditor is subject to a PCAOB inspection limitation. This risk factor must be placed in a prominent location in the prospectus, typically the first risk factor, and must include a quantification of the percentage of audit workpapers that are inaccessible. For a company with 100% of its audit workpapers located in the PRC, this means a 100% inaccessibility disclosure.

The VIE Structure and the SEC’s Enhanced Disclosure Rules

The SEC’s 2021 Guidance on Variable Interest Entities (VIEs) and the Risks Associated with Investing in Companies Based in China (SEC, Staff Statement on VIEs, July 2021) remains in effect and has been incorporated into the SEC’s standard review process for Form F-1 filings. The SEC requires a specific disclosure of the VIE structure, including a clear statement that the issuer does not own the equity of the VIE and that the investors are purchasing shares in a Cayman Islands holding company, not the PRC operating entity. The SEC also requires a quantification of the financial impact: if the VIE contributes more than 10% of the issuer’s consolidated revenue or total assets, the issuer must disclose the VIE’s revenue, net income, and total assets separately in the prospectus. For a company with a VIE that contributes 80% of its revenue, the SEC will require a separate VIE financial statement footnote. The SFC has issued parallel guidance (SFC, Circular on VIE Structures in Hong Kong IPOs, 2023) requiring any Hong Kong listing applicant with a VIE structure to include a specific risk factor in the prospectus stating that the VIE structure may be deemed invalid under PRC law, citing the Supreme People’s Court’s Interpretation on the Application of the Foreign Investment Law (2022), which held that VIE structures are not automatically invalid but are subject to a case-by-case review.

The PRC’s Regulations on the Administration of Human Genetic Resources (HGR) and Their Impact on Biotech IPOs

For biotech and pharmaceutical companies, the PRC’s Regulations on the Administration of Human Genetic Resources (HGR Regulations, effective 1 July 2023, as amended) impose a separate and often overlooked compliance hurdle. The HGR Regulations require that any international collaboration involving the collection, storage, or use of human genetic resources (HGR) in the PRC must be approved by the Ministry of Science and Technology (MOST) or its provincial delegate. This includes clinical trial data, biomarker data, and genomic sequencing data.

The MOST Approval Requirement for Clinical Trial Data

Under Article 11 of the HGR Regulations, any entity that transfers HGR samples or data overseas must obtain a MOST approval certificate. The application process takes 60 working days and requires a detailed description of the data to be transferred, the purpose of the transfer, and the recipient entity. For a biotech company conducting a global Phase III clinical trial with a PRC site, this means that the clinical trial data generated in the PRC cannot be transferred to the U.S. or Hong Kong parent for regulatory filing purposes until the MOST certificate is issued. The HKEX’s Guidance Letter on Biotech Listings (HKEX-GL92-18, updated 2024) explicitly requires that any biotech listing applicant disclose whether it has obtained all necessary HGR approvals and, if not, the status of the application. A failure to disclose a pending HGR application is a breach of Listing Rule 2.13(2). The SFC has also issued a circular (SFC, Circular on HGR Compliance for Biotech IPOs, 2024) reminding sponsors that they must verify the HGR approval status with the PRC subsidiary’s legal counsel and include a legal opinion in the sponsor’s due diligence report.

The Practical Impact on IPO Timelines

The combination of the CAC security assessment (45-75 working days), the MOST HGR approval (60 working days), and the SEC’s enhanced review for VIE structures (typically 4-6 months for the first SEC comment letter) creates a cumulative timeline of 12-18 months for a U.S. listing and 9-12 months for a Hong Kong listing. For a company that has not started the CAC security assessment process, the earliest possible listing date is 18 months from the date of the prospectus draft. The HKEX’s Listing Decision (HKEX-LD127-2024) confirmed that the Exchange will not accept a listing application if the CAC security assessment is pending, as the prospectus cannot be certified as accurate under Listing Rule 11.05. This effectively means that the CAC security assessment is a gatekeeper for any PRC-based IPO, regardless of venue.

The Hong Kong SFC’s Enforcement Priorities on Data Compliance

The SFC has made cross-border data compliance a core enforcement priority for 2025, as stated in its Enforcement Report 2024 (SFC, January 2025). The SFC specifically highlighted data compliance as a “key risk area” for IPO sponsors, noting that it will take enforcement action against sponsors who fail to verify the data compliance status of their clients.

The SFC’s Code of Conduct and the Sponsor’s Duty of Verification

Under paragraph 17.6 of the SFC Code, a sponsor must exercise due diligence to verify that the listing applicant’s business is conducted in compliance with all applicable laws and regulations. The SFC’s Guidelines on the Application of the Code of Conduct for Sponsors (SFC, 2023) state that this includes verifying the applicant’s compliance with the PIPL, DSL, and HGR Regulations. The SFC has also issued a Frequently Asked Questions (FAQ) on its website (SFC, FAQ on Data Compliance for IPO Sponsors, 2024) which provides a checklist of documents that a sponsor must obtain: (1) a legal opinion from PRC counsel on the data classification of the applicant’s data; (2) a copy of any CAC security assessment filing; (3) a copy of any MOST HGR approval; and (4) a written confirmation from the applicant’s board that the data practices comply with the PIPL. A sponsor that fails to obtain these documents is in breach of the SFC Code and may face disciplinary action, including a fine of up to HKD 10 million and a suspension of the sponsor’s license.

The HKEX’s Listing Rules and the Prospectus Disclosure Requirements

HKEX Listing Rule 11.05 requires that a prospectus contain “all information necessary to enable an investor to make an informed assessment of the activities, assets and liabilities, financial position, management and prospects of the issuer.” The HKEX’s Guidance Letter on Data Compliance (HKEX-GL112-24, December 2024) explicitly states that this includes a disclosure of any material data compliance risks, including a pending CAC security assessment or a MOST HGR approval. The HKEX has also stated that it will require a specific risk factor in the prospectus if the applicant has not obtained the necessary approvals. For a company that has a pending CAC security assessment, the HKEX will require a disclosure of the estimated timeline for the assessment and the potential impact on the business if the assessment is not completed. The HKEX has also stated that it will not grant a listing approval until the CAC security assessment is complete, effectively making the CAC the de facto gatekeeper for any PRC-based Hong Kong listing.

Actionable Takeaways for IPO Project Teams

  1. Initiate the CAC security assessment at least 12 months before the planned listing date, as the 45-75 working day review period is merely the first stage; the CAC may require a supplementary filing, adding another 30-60 working days, and the HKEX will not accept the application until the assessment is complete (HKEX-GL112-24).

  2. For U.S. listings, engage a PCAOB-registered auditor with a Hong Kong or Singapore office that can maintain audit workpapers outside the PRC, as the SEC will require a risk factor disclosure if the auditor is subject to a PCAOB inspection limitation, and the delisting clock under the HFCAA begins on the third consecutive year of non-inspection.

  3. For biotech IPOs, file the MOST HGR approval application simultaneously with the CAC security assessment, as the 60-working-day MOST review period runs concurrently with the CAC review, and a failure to disclose a pending HGR application is a breach of Listing Rule 2.13(2) (SFC, Circular on HGR Compliance, 2024).

  4. Obtain a comprehensive PRC legal opinion on data classification, specifically identifying whether the applicant is a CII operator, whether it processes “important data,” and whether it transfers personal information of more than one million individuals, as this opinion is required by the SFC’s FAQ on Data Compliance (2024) and must be included in the sponsor’s due diligence report.

  5. Structure the VIE disclosure in the prospectus to include a separate financial statement footnote if the VIE contributes more than 10% of consolidated revenue or total assets, as the SEC requires this under its 2021 VIE guidance, and the HKEX requires a specific risk factor on VIE validity under the Supreme People’s Court’s Interpretation (2022).